Risk Management After the Federal Reserve’s Final FBO Rule AIBA Annual Compliance Seminar Arthur S. Long June 20, 2014

Overview FBO Risk Management Prior to the Dodd-Frank Act The Dodd-Frank Statute: Section 165 Final FBO Rule – Tailored Application Final FBO Rule – IHC FBOs Final FBO Rule – ≥$50 billion U.S. asset FBOs Final FBO Rule – <$50 billion U.S. asset FBOs Final FBO Rule – publicly traded FBOs with assets ≥ $10 billion Capital Planning and the Risk Management Function Provisions for All Banking Entities – Volcker Rule

FBO Risk Management Prior to the Dodd-Frank Act SR Letter 08-8, Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles, October 16, 2008 “Each FBO supervised by the Federal Reserve should implement a compliance program that is appropriately tailored to the scope, complexity, and risk profile of the organization’s U.S. operations.” “FBOs with large, complex U.S. operations should implement compliance programs for these operations that have more robust processes [related to compliance risk] . . . than . . . FBOs with smaller, less-complex U.S. operations.” “A[n] FBO, however, has flexibility in organizing its oversight structure. Compliance oversight of U.S. activities may be conducted in a manner that is consistent with the FBO’s broader compliance risk management framework. Alternatively, a separate function may be established specifically to provide compliance oversight of the organization’s U.S. operations.”

FBO Risk Management Prior to the Dodd-Frank Act Guidance for the Supervision of the Combined U.S. Operations of Foreign Banking Organizations that are Large Complex Banking Organizations, October 16, 2008 “In all instances, the adequacy of each primary risk management or control mechanism for U.S. operations depends on the appropriateness of the following”: Control infrastructure and governance Appropriate policies, procedures and internal controls Adequate risk identification and measurement systems and processes Monitoring and testing of controls Processes for identifying, reporting, and escalating risk issues Ability to implement corrective actions Independence of staff Integrating risk management objectives within management goals and compensation structure

FBO Risk Management Prior to the Dodd-Frank Act Guidance for the Supervision of the Combined U.S. Operations of Foreign Banking Organizations that are Large Complex Banking Organizations, October 16, 2008 Identifies “[k]ey elements that should be identified and understood” by supervisors: The FBO’s primary U.S. business strategies The FBO’s significant business activities, including budget and internal capital allocations U.S. business line and legal entity structure Risk management governance – head office, regional and local oversight; reporting relationships with the head office; control functions and MIS for U.S. risk Funding and liquidity structure U.S. operations’ presence in critical financial markets

The Dodd-Frank Statute: Section 165 Enhanced prudential standards for ≥ $50 billion BHCs Permits “tailored application” by the Federal Reserve Enhanced prudential standards must include, inter alia, liquidity requirements and “overall risk management” requirements For FBOs, Federal Reserve must give due regard to the principle of national treatment and equality of competitive opportunity For FBOs, Federal Reserve must also take into account the extent of comparable home country standards applied on a consolidated basis For ≥ $10 billion BHCs, Federal Reserve must issue regulations requiring each such company that is publicly traded to establish a risk committee

Final FBO Rule: Tailored Application FBOs with ≥ $50 billion in total assets and ≥ $50 billion in U.S. nonbranch assets FBOs with ≥ $50 billion in total assets and ≥ $50 billion in combined U.S. assets FBOs with ≥ $50 billion in total assets and < $50 billion in combined U.S. assets Publicly traded FBOs with ≥ $10 billion but < $50 billion in total assets

Final Section 165 Rule: IHC FBOs FBOs with ≥ $50 billion in total assets and ≥ $50 billion in U.S. nonbranch assets must form IHCs Risk management: IHC FBOs must maintain an IHC risk committee as a committee of the board of directors (or equivalent body) of the IHC The risk committee is charged with overseeing the IHC’s risk management framework. It will also usually oversee the risk-management framework of the combined U.S. operations. It must: meet at least quarterly and must fully document and maintain records of its proceedings, including risk-management decisions; and have at least one member with experience in identifying, assessing, and managing risk exposures of large, complex financial firms and at least one independent member. The independent member must not be an officer or employee of the FBO or its affiliates and have not been an officer or employee of the FBO or its affiliates during the previous three years, and not be a member of the immediate family of a person who is, or has been within the last three years, an executive officer of the FBO or its affiliates.

Final Section 165 Rule: IHC FBOs In addition, the IHC FBO must have a U.S. Chief Risk Officer (CRO) The U.S. CRO must have experience identifying, assessing, and managing risk exposures of large, complex financial firms and be located in the U.S. The U.S. CRO is tasked with reporting directly and regularly providing information to the U.S. risk committee and the FBO’s global Chief Risk Officer regarding the nature of and changes to material risks undertaken by the FBO’s combined U.S. operations Reporting obligations includes reporting on risk-management deficiencies and emerging risks, and how such risks relate to the global operations of the FBO The U.S. CRO is expected to receive compensation and other incentives consistent with providing an objective assessment of the risks taken by the combined U.S. operations of the FBO

Final Section 165 Rule: IHC FBOs An IHC FBO must also establish a liquidity risk management review function that is independent of the management functions that execute funding for the combined U.S. operations. This function is responsible for: Production of comprehensive cash flow projections, with short-term projections updated daily and long-term projections updated monthly Liquidity stress testing, at least monthly, for both the branch/agency network and the IHC; results of stress testing used in determining the size of the liquidity buffer and for purposes of contingency funding planning Stress test results to be reported to the Federal Reserve, along with results of any home country stress tests

Final Section 165 Rule: ≥ $50 billion U.S. asset FBOs FBOs with ≥ $ 50 billion in total assets and ≥ $50 billion in combined U.S. assets but with nonbranch assets < $50 billion are subject to similar but modified requirements There must be a risk committee for the combined U.S. operations, which may be maintained as a committee of the FBO’s own board of directors, on a standalone basis, or as a joint committee with the FBO's enterprise-wide risk committee The risk committee has similar responsibilities for the combined U.S. operations as the IHC risk committee, and is subject to the requirements of at least one independent member and one member with experience regarding risk exposures of large, complex firms The FBO must also appoint a CRO for its combined U.S operations, who must be located in the United States The CRO has responsibilities similar to those of an IHC’s CRO There must also be a liquidity risk management review function similar to that for IHC FBOs, focused on the combined U.S. operations

Final Section 165 Rule: < $50 billion U.S. asset FBOs With respect to risk management, such FBOs must annually certify to the Federal Reserve that they maintain a committee of their global board of directors, on a stand-alone basis or as part of their enterprise-wide risk committee, that: Oversees the risk management policies of the combined U.S. operations of the FBO; and Includes at least one member having experience in identifying, assessing, and managing risk exposures of large, complex firms. In addition, such FBOs must take appropriate measures to ensure that their combined U.S. operations implement the risk management policies overseen by the risk committee, and that their combined U.S. operations provide sufficient information to the risk committee to enable the risk committee to carry out its responsibilities. If an FBO does not comply with these requirements, the Federal Reserve may impose "requirements, conditions, or restrictions" on the FBO's U.S. operations. The Federal Reserve must provide prior notice to an FBO, and must allow the FBO to submit a request for reconsideration, before taking such actions.

Final Section 165 Rule: < $50 billion U.S. asset FBOs FBOs with ≥ $50 billion in total assets and < $50 billion in U.S. assets are subject to more limited liquidity risk management requirements With respect to liquidity, such FBOs must report to the Board on an annual basis the results of an internal liquidity stress test for either the consolidated operations of the FBO or its combined U.S. operations The liquidity stress tests must be conducted consistently with the Basel Committee principles for liquidity risk management and must incorporate 30-day, 90-day, and one-year stress-test horizons An FBO that does not comply with this requirement must limit the net aggregate amount owed by the FBO’s non-U.S. offices and its non-U.S. affiliates to the combined U.S. operations to 25 percent or less of the third party liabilities of its combined U.S. operations, on a daily basis

Final Section 165 Rule: Publicly Traded ≥ $10 billion FBOs FBOs that are publicly traded and that have ≥ $10 billion in assets but < $50 billion must certify, annually, that they maintain a committee of their global board of directors (or equivalent), on a standalone basis or as part of their enterprise-wide risk committee, that: oversees the risk management policies of the FBO’s combined U.S. operations; and includes at least one member with experience in managing risk exposures of large, complex firms.

Capital Planning and the Risk Management Function The Federal Reserve’s capital planning regime has shown itself to be another area where the risk management function is a key area of supervisory focus The Federal Reserve’s final capital plan rule states that capital plans may be objected to if the [FBO] has “material unresolved supervisory issues, including but not limited to issues associated with its capital adequacy process” In 2014, certain capital plans were objected to for risk management reasons: governance and internal controls risk identification and risk-management management information systems

Volcker Rule Applies to all “banking entities” Tiered structure for compliance program relating to Rule’s prohibitions on proprietary trading and private fund activities FBOs with total U.S. assets of $50 billion or more (or that have to report metrics based on trading assets, where the threshold declines to total combined U.S. trading assets of $10 billion or more by 2016) Banking entities with total U.S. assets of more than $10 billion Banking entities with total U.S. assets of $10 billion or less

Risk Management After the Federal Reserve’s Final FBO Rule Arthur S. Long is a partner in the New York office of Gibson, Dunn & Crutcher, where he is a Co-Chair of the Firm’s Financial Institutions Group and a member of the Securities Regulation Group.  Mr. Long focuses his practice on financial institutions regulation, advising on the regulatory aspects of M&A transactions; bank regulatory compliance issues; Dodd- Frank issues, including the regulation of systemically significant financial institutions (SIFIs) and related heightened capital and liquidity requirements; resolution planning; and Volcker Rule issues with respect to bank proprietary trading and private equity and hedge fund operations.  He also has significant experience with bank securities offerings and issues particular to foreign banks operating or seeking to operate in the United States.  Among Mr. Long’s recent publications are The Financial Services Regulation Deskbook, the Practising Law Institute treatise on the Dodd-Frank Act, and “The New Autarky?  How U.S. and UK Domestic and Foreign Banking Proposals Threaten Global Growth,” a Policy Analysis of The Cato Institute. ALong@gibsondunn.com T: +1 212.351.2426